File access
FACS — the File Access Control Shim — is the layer that applies KACS access control to files. AccessCheck runs once at open; the granted mask is cached on the file descriptor; every subsequent operation reads from the cache rather than re-evaluating. This page covers the model, where it sits, and the rules that flow from it.
Concept: Every FACS-managed file descriptor carries a granted access mask, stamped at open by AccessCheck and immutable for the fd's lifetime. Every operation through the fd checks the operation's required mask against this cached value. This page covers what the cache contains, what operations consult it, and the implications of immutability.
Concept: Two paths exist for opening a file — kacs_open with an explicit desired access mask, and the legacy openat/open with POSIX flags. Both use FACS, both produce a fd with a cached granted mask, but their semantics around partial grants differ. This page covers both, plus create dispositions, MAXIMUM_ALLOWED, and the SD-at-creation rules.
Concept: File SDs are read and written via kacs_get_sd and kacs_set_sd. Both take a security_information bitmask saying which SD components to access — OWNER, GROUP, DACL, SACL, LABEL. The xattr layer is never the path; direct xattr operations on the SD are unconditionally denied. This page covers the syscalls, the access rules, and the special LABEL_SECURITY_INFORMATION flag.
Concept: O_PATH fds skip the handle model. exec needs two gates. Append-only handles enforce intent. The sticky bit and POSIX ACLs don't work. NFS clients are authorised locally but enforced remotely. This page covers the edges of FACS — the cases that the standard model doesn't cover by itself.